mercurialgrabber | d70954b2e608f3d2f4561364035d3c4958743a668db083f21a7b216a820ca539

General

Target

fbae53e539c388e11c4f330ba6e2010f_JaffaCakes118
Size

2.0MB
Sample

240420-cfm5fade76
MD5

fbae53e539c388e11c4f330ba6e2010f
SHA1

2d16711a395bd0f27756fab2f4f744a4f3a9f4c4
SHA256

d70954b2e608f3d2f4561364035d3c4958743a668db083f21a7b216a820ca539
SHA512

b0ff9c987c836da8ac5df7dda796bd70509112e25fa3cd1eda895964b15ad211eecc159c9910925a4f001cec2d691c42c542c922660a3149393d05eb398c4e54
SSDEEP

24576:X0a/3paargPZtr1msdlDTtcSqxSrj8X27aBRmFMA9MxlCZ/W5DUulT777fcS:h3p9gLrIydqxy8Xf/m+Auxuy577

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/879456588325355560/3tZf_QDFmZ6QGOe8DwHiYbH3_1NLE4daVz3SuCc7otWv_q4f9i1UIPgEu_CjqmgzPeix

Extracted

Family

njrat

Version

v2.0

Botnet

clean

C2

lola111222.ddns.net:6611

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  fbae53e539c388e11c4f330ba6e2010f_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  fbae53e539c388e11c4f330ba6e2010f
- SHA1
  
  2d16711a395bd0f27756fab2f4f744a4f3a9f4c4
- SHA256
  
  d70954b2e608f3d2f4561364035d3c4958743a668db083f21a7b216a820ca539
- SHA512
  
  b0ff9c987c836da8ac5df7dda796bd70509112e25fa3cd1eda895964b15ad211eecc159c9910925a4f001cec2d691c42c542c922660a3149393d05eb398c4e54
- SSDEEP
  
  24576:X0a/3paargPZtr1msdlDTtcSqxSrj8X27aBRmFMA9MxlCZ/W5DUulT777fcS:h3p9gLrIydqxy8Xf/m+Auxuy577
Score

10^/10

mercurialgrabber njrat zgrat rat stealer trojan clean evasion persistence spyware
- Detect ZGRat V1
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2